Qualys Security Assessment Questionnaire
Assess business process risk from third parties and internal teams


Qualys Security Assessment Questionnaire (SAQ) is a cloud service for conducting business process control assessments among your external and internal parties to reduce the chance of security breaches and compliance violations.


To conduct business process control assessments, organizations must poll their third parties, such as vendors and partners, and their internal staffers and teams. Doing this manually, with email and spreadsheets, is erratic, slow, inefficient and costly. That puts your organization at increased risk of data theft, cyber crime, IP espionage, brand damage and government fines.


Qualys SAQ automates, centralizes and streamlines this entire process, including survey design, questionnaire distribution, response monitoring, data aggregation and report generation. With Qualys SAQ, you'll quickly and precisely identify risky security and compliance gaps among internal and external parties. Because it is built upon the Qualys Cloud Platform, Qualys SAQ lets organizations automate business process risk assessments at scale, meeting the requirements of even the largest companies.
[Screenshot: SAQ Dashboard. Active campaigns listed with progress, due date and questionnaire count: Australian Government Information Security Manual (2 questionnaires, due 12 Feb 2019), NIST SP 800-53 Revision 4: Security Control Baselines (1 questionnaire), GDPR Third Party Vendor Assessment (1 questionnaire). Panels for latest user activity (per-respondent answered counts, e.g. 7/14 and 14/14) and campaign distribution.]
Features


Intuitive campaign design 


SAQ helps create campaign questionnaires with due dates, notifications, assigned reviewers, various answer formats, question criticality, answer scores, evidence requirements and varying workflows. You do this using SAQ’s wizard and its simple, drag-and-drop web UI. You can also use SAQ’s library of out-of-the-box templates covering common compliance standards and regulations, such as the EU’s GDPR.


Simplified questionnaire distribution 


There’s no need to set up user accounts. Organizations enter vendor emails and SAQ auto-provisions the surveys. Respondents complete surveys on browser-based forms, and can delegate questions they can’t answer. As deadlines approach, administrators can trigger reminder emails to respondents. Organizations can also set up recurring campaigns.




Automated campaign tracking 


SAQ captures responses in real time and aggregates them in one central dashboard, so administrators can see campaigns’ progress. SAQ displays charts updated live, and lets administrators drill down to individual respondent questionnaires, and slice and dice results. Administrators can manage multiple campaigns at different stages of completion.


Comprehensive, customizable reports 


SAQ generates proof of compliance with detailed reports and caters to a variety of users, including upper management via executive-level dashboards, as well as auditors and compliance officers with more granular views of the data. SAQ can also be used for polling your employees and managers in internal audits and documenting compliance.


Qualys SAQ automates business process control assessments of third parties and internal teams, making the process agile, accurate, centralized, scalable and uniform across your organization.


Benefits 




Simpler campaign monitoring
Lets you easily track survey response progress, ensuring all questionnaires are completed and returned

Easier data collection
Captures and stores survey answers online, eliminating the need for manual data entry of responses

No more use of email and spreadsheets
Streamlines and centralizes management of the campaign process via a cloud-based dashboard

Scale and performance
Allows you to run multiple, concurrent survey campaigns with thousands of respondents


Quickly design and build your questionnaires

SAQ streamlines your third-party and internal risk assessment processes right from the questionnaire creation phase. With SAQ, you easily design in-depth surveys to make business-process control assessments of security policies and practices of third parties and internal staff, and their compliance with industry standards, regulations and internal requirements.


• Let SAQ’s wizard walk you through the creation of campaigns, including assigning deadlines and configuring notifications
• Create questionnaires with SAQ’s drag-and-drop UI, or tap SAQ’s template library of surveys for regulations like HIPAA, Basel 3 and SOX, and industry standards like PCI
• Form questions with various types of answer formats, such as multiple-choice check boxes, drop-down menus and open-ended text boxes
• Require that respondents attach evidence files for certain answers
• Configure questions to be dynamically shown or hidden based on a prior response
• Design campaigns with different workflows: accept surveys once they’ve been completed by respondents, or require extra steps, such as supervisor reviews and approvals
• Assign criticality levels to questions, and a score for answer options in the questionnaire templates. The question criticality scale is customizable with labels and answer weights
• Allow respondents to delegate questions to peers that are better able to answer them
[Screenshot: SAQ Templates Library filtered by category "GDPR", showing 7 total templates.]


CAMPAIGNS 


Launch and track campaigns from SAQ’s central console

The traditional way of conducting these risk assessment surveys, emailing questionnaires and tracking responses on a spreadsheet, no longer cuts it. SAQ automates these audit campaigns and makes the process agile, accurate, comprehensive, centralized, scalable and uniform across your organization.


• Enter respondent emails in the SAQ web console and SAQ auto-provisions the surveys, sending out links to the web-based questionnaires
• Centrally manage and track the progress of all of your campaigns
• Monitor response activity in dashboards updated in real time, and literally watch as questions are answered
• Let supervisors review the format and content of questionnaires before they’re launched and even while a campaign is in progress
• Set up recurring campaigns that need to be run with a specific frequency


Support a wide variety of risk assessment use cases within your organization and externally with your vendors, contractors, partners and consultants, including:

• Auditing current vendors to make sure they remain compliant
• Evaluating vendors bidding for your business
• Assessing for the first time a key supplier you just signed up
• Conducting a “postmortem” assessment of a slip-up by one of your third parties
• Verifying your employees understand IT security and compliance policies and procedures


[Screenshot: SAQ Templates library, category "GDPR"]

Template                                               Category  Created on    Questions
GDPR Accountability and Responsibility Assessment      GDPR      May 24, 2018  16
GDPR Business Readiness Self-Assessment                GDPR      May 24, 2018  40
GDPR Data Incident and Breach Notification Assessment  GDPR      May 24, 2018  9
GDPR Data Inventory and Mapping                        GDPR      May 24, 2018  20
GDPR Data Privacy Assessment in Operations             GDPR      May 24, 2018  38
GDPR Data Protection and Privacy Impact Assessment     GDPR      May 24, 2018  25
GDPR Third Party Vendor Assessment                     GDPR      May 24, 2018  20   (PUBLISHED, v-1)


Simplify the process of responding to questionnaires

If the process of filling out a risk assessment questionnaire is cumbersome, this will affect the quality and thoroughness of the answers provided by respondents, as well as how promptly they complete the surveys. SAQ makes the task intuitive with a raft of convenient features designed to make life easier for respondents, including:

• Quickly and efficiently completing questionnaires from any browser at any time
• Securely attaching evidence files with drag-and-drop convenience
• Delegating questions to other users or user groups based on their role
• Receiving reminder emails regarding due dates and completion status


Streamline GDPR procedural risk assessments


The EU’s GDPR compliance process requires organizations to perform 
procedural risk assessments, which SAQ can assist you with. Its GDPR- 
specific questionnaire templates break down requirements and help 
assess business readiness for compliance. Using these out-of-the-box 
questionnaires will save you time, effort and resources as you assess 
GDPR procedural compliance and generate reports based on responses. 
SAQ’s GDPR questionnaire templates include: 


• GDPR Business Readiness Self-Assessment
Designed to identify key areas where operational changes will be required and to assist the organization in prioritizing efforts for GDPR compliance.

• GDPR Data Inventory and Mapping
Helps in assessing the process to identify, locate, classify and map the flow of GDPR-protected data.

• GDPR Accountability and Responsibility Assessment
Helps in assessing the process of accountability and responsibility in terms of data governance as per GDPR requirements.

• GDPR Data Privacy Assessment in Operations
Focuses on assessing the appropriate technical and organizational measures to protect EU residents’ personal data from loss or unauthorized access or disclosure.

• GDPR Third-Party Vendor Assessment
Helps to identify and assess the requirements of the third-party vendors you share personal data of EU residents with.

• GDPR Data Incident and Breach Notification Assessment
Helps in the assessment of GDPR’s data breach notification and communication requirements.

• GDPR Data Protection and Privacy Impact Assessment
Helps organizations in the assessment of the privacy risks and data protection safeguards of new projects.


Document, visualize and share campaign results


The goal of these campaigns is to quickly and precisely identify IT 
security and compliance gaps among your network of third parties, 
and within your organization, so you can take appropriate action. SAQ 
gives you all the tools for displaying, understanding, analyzing and 
acting on the collected data. 


• Provide high-level dashboards for executives and detailed views for internal auditors and compliance officers
• When generating reports, filter data by question criticality and answer scores to derive an overall risk score or identify high risk areas
• Create custom dashboards designed to reflect the risk and compliance postures of specific third parties
• Slice and dice campaign results using a variety of criteria, such as by vendor, respondent or specific questions
• Generate proof of compliance with detailed reports
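The datasheet describes questions carrying a criticality level, answer options carrying a score, evidence requirements on certain answers, and reports that filter by criticality to derive an overall risk score or surface high-risk areas. The following Python is an added illustration of how such a weighted roll-up can be computed; it is not Qualys code, and SAQ’s actual scoring formula is not on this page. The criticality weights, answer scores, question records and responses below are all assumed and constructed for the example. Two practitioner caveats are built in: N/A answers are excluded from the denominator rather than counted as zero, and a "Fully Compliant" answer that required evidence but has none attached is scored as Non Compliant so an unverified claim cannot inflate the score.

```python
"""Weighted compliance/risk roll-up over questionnaire responses.

Added example, not Qualys SAQ code. Weights, scores and data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Hypothetical criticality labels and weights (assumed; SAQ lets you customize labels/weights).
CRITICALITY_WEIGHTS = {"low": 1, "medium": 2, "high": 4, "critical": 8}

# Hypothetical answer options and compliance scores: 1.0 best, 0.0 worst, None = excluded.
ANSWER_SCORES = {
    "Fully Compliant": 1.0,
    "Partially Compliant": 0.5,
    "Non Compliant": 0.0,
    "N/A": None,
}


@dataclass
class Question:
    qid: str
    category: str
    criticality: str
    requires_evidence: bool = False


@dataclass
class Response:
    qid: str
    answer: str
    evidence_files: list[str] = field(default_factory=list)


def score_question(q: Question, r: Response) -> Optional[tuple[float, int]]:
    """Return (earned, possible) for one answered question, or None for N/A.

    A required-evidence question with no attachment is treated as Non Compliant:
    the respondent's claim is unverified, so it earns nothing.
    """
    score = ANSWER_SCORES[r.answer]
    if score is None:
        return None
    if q.requires_evidence and not r.evidence_files:
        score = 0.0
    weight = CRITICALITY_WEIGHTS[q.criticality]
    return score * weight, weight


def _pct(earned: float, possible: float) -> Optional[float]:
    return round(100 * earned / possible, 1) if possible else None


def risk_report(questions: list[Question], responses: list[Response],
                min_criticality: str = "low") -> dict:
    """Roll up overall and per-category compliance (0..100 %), ignoring questions
    below min_criticality. Also lists unanswered questions and 'findings':
    high/critical questions that did not earn full marks."""
    threshold = CRITICALITY_WEIGHTS[min_criticality]
    high = CRITICALITY_WEIGHTS["high"]
    by_qid = {r.qid: r for r in responses}
    earned = possible = 0.0
    per_cat: dict[str, list[float]] = {}
    unanswered: list[str] = []
    findings: list[str] = []
    for q in questions:
        w = CRITICALITY_WEIGHTS[q.criticality]
        if w < threshold:
            continue
        r = by_qid.get(q.qid)
        if r is None:
            unanswered.append(q.qid)
            continue
        scored = score_question(q, r)
        if scored is None:
            continue  # N/A: not in numerator or denominator
        e, p = scored
        earned += e
        possible += p
        cat = per_cat.setdefault(q.category, [0.0, 0.0])
        cat[0] += e
        cat[1] += p
        if e < p and w >= high:
            findings.append(q.qid)
    return {
        "overall": _pct(earned, possible),
        "by_category": {c: _pct(*v) for c, v in per_cat.items()},
        "unanswered": unanswered,
        "findings": findings,
    }


def demo(min_criticality: str = "low") -> dict:
    """Constructed sample campaign (hypothetical data) run through risk_report."""
    questions = [
        Question("Q1", "Access control", "high", requires_evidence=True),
        Question("Q2", "Access control", "medium"),
        Question("Q3", "Breach notification", "critical", requires_evidence=True),
        Question("Q4", "Breach notification", "low"),
        Question("Q5", "Data inventory", "high"),
        Question("Q6", "Data inventory", "medium"),  # never answered
    ]
    responses = [
        Response("Q1", "Fully Compliant", ["mfa-policy.pdf"]),
        Response("Q2", "Partially Compliant"),
        Response("Q3", "Fully Compliant"),  # claims compliance, no evidence attached
        Response("Q4", "N/A"),
        Response("Q5", "Non Compliant"),
    ]
    return risk_report(questions, responses, min_criticality)


if __name__ == "__main__":
    print(demo())          # overall 27.8 %, findings Q3 and Q5, Q6 unanswered
    print(demo("high"))    # overall 25.0 % when only high/critical questions count
```

Filtering by `min_criticality` mirrors the report filter described above: at "high", the medium and low questions drop out of both numerator and denominator, and the overall figure changes accordingly. Q3 is the case worth noting, since a self-reported "Fully Compliant" with no evidence ends up as a finding rather than as a point in the vendor's favour.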
[Screenshot: SAQ Template Builder (Edit Template, Builder, Rules, Settings) editing the Australian Government Information Security Manual (ISM) template, 638 questions in total. A sample question is shown with answer options N/A, Non Compliant, Partially Compliant and Fully Compliant, and a question-type picker offering Formatted Text field, Drop Down, Yes/No, Multi-select and Single-select. An "Import pre-set Questions and Answers" option reads: "Simply pick questions from Shared Assessments SIG Question B... or from templates in our library."]
Powered by the Qualys Cloud Platform, the revolutionary architecture that powers Qualys’ IT security and compliance cloud apps

Sensors that provide continuous visibility
On-premises, at endpoints or in the cloud, the Qualys Cloud Platform sensors are always on, giving you continuous 2-second visibility of all your IT assets. Remotely deployable, centrally managed and self-updating, the sensors come as physical or virtual appliances, or lightweight agents.

Respond to threats immediately
With Qualys’ Cloud Agent technology, there’s no need to schedule scan windows or manage credentials for scanning. And Qualys Continuous Monitoring service lets you proactively address potential threats whenever new vulnerabilities appear, with real-time alerts to notify you immediately.

All data analyzed in real time
Qualys Cloud Platform provides an end-to-end solution, allowing […] in a scalable, state-of-the-art backend, and provisioning additional cloud apps is as easy as checking a box.

See the results in one place, anytime, anywhere
Qualys Cloud Platform is accessible directly in the browser, no plugins necessary. With an intuitive, single-pane-of-glass user interface for all its apps, it lets you customize dashboards, drill down into details, and generate reports for teammates and auditors.


Cloud Platform Apps 


Qualys apps are fully integrated and natively share the data they collect for real-time 
analysis and correlation. Provisioning another app is as easy as checking a box. 


Vulnerability Management, Patch Management, Cloud Inventory, Web Application Scanning, Security Configuration Assessment, Security Assessment Questionnaire

Threat Protection, Indication of Compromise, Cloud Security Assessment, Web Application Firewall

Certificate Inventory, Continuous Monitoring, Certificate Assessment, Container Security, Policy Compliance, File Integrity Monitoring


Request a full trial (unlimited-scope) at qualys.com/trial


It’s an out-of-the-box solution that’s centrally managed and self-updating. 